LastPass Opts to Release Ad Supported “Free” Version

My hatred of using advertisements to fund “free” services is pretty well known at this point. However, it seems that a lot of people prefer the business model where they’re the product instead of the customer. Knowing that, and knowing that password reuse is still a significant security problem for most people, I feel the need to inform you that LastPass, which still remains a solid password manager despite being bought by LogMeIn, now has an ad supported “free” version:

I’m thrilled to announce that, starting today, you can use LastPass on any device, anywhere, for free. No matter where you need your passwords – on your desktop, laptop, tablet, or phone – you can rely on LastPass to sync them for you, for free. Anything you save to LastPass on one device is instantly available to you on any other device you use.

Anything that may convince more people to start using password managers is a win in my book. People who don’t use password managers tend to reuse the same credentials on multiple sites, which significantly increases the damage a password database leak can cause. Furthermore, a password manager lowers the hurdle for using strong passwords. Instead of being limited to passwords that are memorizable, users can use long strings of pseudorandom characters, which means that if a password database is breached the time it takes to recover their password from its stored hash is significantly increased (because the attacker has to rely on brute force instead of a time-saving method such as rainbow tables).

If money has been the only thing that has held you back from using a password manager you should take a look at LastPass’s “free” version. While ads are a potential vector for malware they can be blocked with an ad blocker and the risk of being infected through ads is significantly less than the risks involved in not using a password manager.

More Malware Spreading Through Advertising

My biggest gripe with the advertisement based model most Internet services have opted to use is that ads can easily be used to spread malware. Because of that I view ad blockers as security software more than anything. And the Internet seems to enjoy proving my point every few weeks:

As a security researcher, it’s always exciting to discover new vulnerabilities and techniques used by malicious actors to deliver malware to unsuspecting users. These moments are actually quite rare, and it’s increasingly frustrating from a researcher’s perspective to watch the bad guys continue to use the same previously exposed methods to conduct their malicious operations.

Today’s example is no different. We discovered a malvertising campaign on Google AdWords for the search term “Google Chrome”, where unsuspecting MacOS users were being tricked into downloading a malicious installer identified as ‘OSX/InstallMiez’ (or ‘OSX/InstallCore’).

In this case the malware didn’t spread through a browser exploit. Instead it exploited the weakest component of any security system: the human. The malware developers bought ads from Google so that their link, which was cleverly titled “Get Google Chrome”, would appear at the very top of the page. This malware was targeted at macOS users, so if you were a Windows user and clicked on the link you’d be redirected to a nonexistent page, but macOS users would be taken to a page to download the malware installer. After running the installer the malware opens a browser page to a scareware site urging you to “clean your Mac” and then downloads more malware that opens automatically and urges the user to copy it to their Applications folder.

As operating systems have become more secure malware producers have begun relying on exploiting the human component. Unfortunately, it’s difficult to train mom, dad, grandpa, and grandma on proper computer security practices. Explaining the difference between Google advertisement links and Google search result links to your grandparents is often a hopeless cause. The easiest way of dealing with that situation is to hide the ads, and therefore any malware that tries to spread via ads, from their view, and ad blockers are the best tools for that job.

Unfortunately, the advertisement based model isn’t going away anytime soon. Too many people think that web services are free because, as Bastiat explained way back when, they’re not seeing the unseen factors. Since they’re not paying money to access a service they think that the service is free. What remains unseen are the other costs such as being surveilled for the benefit of advertisers, increased bandwidth and battery usage for sending and displaying advertisements, the risk of malware infecting their system via advertisements, etc. So long as the advertisement based model continues to thrive you should run ad blockers on all of your devices to protect yourself.

The Weakest Link in a Security System is Usually the Human Component

No matter how secure you make your network you will always have one significant weakness: the users. Humans are terrible at risk management, and if somebody doesn’t understand the risks involved in specific actions it is almost impossible to train them not to do those actions. Consider phishing scams. They often rely on e-mails that look like they’re from a specific site, say Gmail, that include a scary message about your account being unlawfully accessed and a link to a site where you can log in to change your password. Of course that link actually goes to a site controlled by the phisher and exists solely to steal your password so they can log into your account. But most people don’t understand the risks of trusting any official-looking e-mail, visiting whatever link it provides, and entering their password, so training people not to fall for phishing scams is a significant challenge.

Even people who are in positions where they should expect to be targets of hackers fall for phishing scams:

On March 19 of this year, Hillary Clinton’s campaign chairman John Podesta received an alarming email that appeared to come from Google.

The email, however, didn’t come from the internet giant. It was actually an attempt to hack into his personal account. In fact, the message came from a group of hackers that security researchers, as well as the US government, believe are spies working for the Russian government. At the time, however, Podesta didn’t know any of this, and he clicked on the malicious link contained in the email, giving hackers access to his account.

While the United States government and some security researchers point the finger at Russia it should be noted that this kind of scam is trivial to execute. So trivial that anybody could do it. For all we know the e-mail could have been sent by a 13-year-old in Romania who wanted to cause a bunch of chaos for shits and giggles.

But speculating about who did this at this point is unimportant. What is important is the lesson that can be taught, which is that even people in high positions, people who should expect to be targets for malicious hackers, screw up very basic security practices.

If you want to make waves in the security field I suggest investing your time into researching ways to deal with the human component of a security system. Anybody who finds a more effective way to either train people or reduce the damage they can do to themselves (and by extension whatever organizations they’re involved in) while still being able to do their jobs will almost certainly gain respect, fame, and fortune.

Denying Math

Many of the e-mails released by WikiLeaks about Clinton’s campaign have been, shall we say, embarrassing. Of course the e-mails haven’t dissuaded Clinton’s true believers but they might cause a slight inconvenience during the election if people on the fence begin to perceive her for the criminal she is. The only defense the campaign has offered against any of these e-mails is that they are fake, but math doesn’t lie:

In order to block spam, emails nowadays contain a form of digital signature that verifies their authenticity. This is automatic, it happens on most modern email systems, without users being aware of it.

This means we can indeed validate most of the Wikileaks leaked DNC/Clinton/Podesta emails. There are many ways to do this, but the easiest is to install the popular Thunderbird email app along with the DKIM Verifier addon. Then go to the Wikileaks site and download the raw source of the email https://wikileaks.org/podesta-emails/emailid/2986.

Cryptographic signatures are wonderful things. In addition to verifying that a communication was sent by a specific individual or organization, they also indicate whether or not the contents of the communication have been altered. Thanks to anti-spam measures we have a form of digital signature on many e-mails by default. This means that we can verify that the e-mails WikiLeaks released remain unaltered.
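The body-hash half of that check, as an added example that is not code from the quoted article or from the DKIM Verifier addon: the bh= tag in a DKIM-Signature header is a SHA-256 over the canonicalized message body, so a tampered body can be detected with Python’s standard library alone, while checking the b= signature over the headers additionally needs the signer’s public key fetched from DNS. The domain, selector and message below are constructed.

```python
import base64
import hashlib
import re
from typing import Dict, Optional


def canonicalize_body(body: bytes, method: str) -> bytes:
    """Apply RFC 6376 body canonicalization ('simple' or 'relaxed')."""
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # Drop trailing whitespace per line, collapse runs of WSP to one SP.
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    elif method != "simple":
        raise ValueError("unknown body canonicalization: " + method)
    while lines and lines[-1] == b"":  # ignore empty lines at the end
        lines.pop()
    if not lines:
        return b"" if method == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def split_message(raw: bytes):
    """Split raw RFC 5322 bytes into the header block and the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    return head, body


def get_header(head: bytes, name: str) -> Optional[str]:
    """Return the unfolded value of the first header called `name`."""
    unfolded = re.sub(rb"\r\n([ \t])", rb"\1", head)
    for line in unfolded.split(b"\r\n"):
        field, _, value = line.partition(b":")
        if field.strip().lower() == name.lower().encode():
            return value.decode("ascii", "replace").strip()
    return None


def parse_dkim_tags(value: str) -> Dict[str, str]:
    """Turn 'v=1; a=rsa-sha256; bh=...' into a dict, dropping folding WSP."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, _, v = item.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def body_hash_matches(raw: bytes) -> bool:
    """True if the bh= tag equals the hash of the canonicalized body."""
    head, body = split_message(raw)
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        raise ValueError("message carries no DKIM-Signature header")
    tags = parse_dkim_tags(sig)
    hasher = hashlib.sha1 if tags.get("a", "").endswith("sha1") else hashlib.sha256
    canon = tags.get("c", "simple/simple")
    # c=header/body; a lone value names the header method, body defaults to simple
    body_method = canon.split("/")[1] if "/" in canon else "simple"
    canonical = canonicalize_body(body, body_method)
    if "l" in tags:  # l= caps the signed body length; bytes past it are unsigned
        canonical = canonical[: int(tags["l"])]
    digest = base64.b64encode(hasher(canonical).digest()).decode()
    return digest == tags.get("bh")


def build_sample(body: bytes) -> bytes:
    """Constructed message (hypothetical domain/selector) whose bh= is computed
    from `body`. The b= tag is a placeholder: checking it needs the DNS key."""
    bh = base64.b64encode(hashlib.sha256(canonicalize_body(body, "relaxed")).digest())
    head = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
            b"\ts=sel1; h=from:to:subject:date; bh=" + bh + b";\r\n"
            b"\tb=PLACEHOLDERNOTAREALSIGNATURE==\r\n"
            b"From: Alice <alice@example.org>\r\n"
            b"To: Bob <bob@example.net>\r\n"
            b"Subject: Meeting notes\r\n"
            b"Date: Mon, 17 Oct 2016 09:00:00 -0500\r\n")
    return head + b"\r\n" + body


if __name__ == "__main__":
    msg = build_sample(b"Let's meet at 10am.\r\nBring the Q3 numbers.\r\n")
    head, body = split_message(msg)
    print("untampered:", body_hash_matches(msg))  # True
    print("edited:", body_hash_matches(head + b"\r\n\r\n" + body.replace(b"10am", b"11am")))  # False
    # relaxed canonicalization deliberately ignores whitespace-only changes
    print("reflowed:", body_hash_matches(head + b"\r\n\r\n" + body.replace(b"the Q3", b"the  Q3")))  # True
```

Note the last case: under c=relaxed, “unaltered” means unaltered modulo whitespace, and an l= tag leaves anything appended after the covered length unsigned, so a verifier should report both conditions rather than a bare pass.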

A failure to understand the technology they’re using continues to bite politicians in the ass. But it’s good for us mere plebs because it gives us a glimpse behind the curtains of the State and that glimpse continues to show uglier and uglier things.

Public-Private Surveillance Partnership

People often split surveillance into public and private. Public surveillance is performed directly by the State and is headed by agencies such as the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Central Intelligence Agency (CIA). Private surveillance is performed by corporations such as Harris Corporation, Facebook, and AT&T. Some libertarians and neoconservatives like to express a great deal of concern over the former because it’s being performed by the State but are mostly accepting of the latter because they believe private entities should be free to do as they please. However, the divide between public and private surveillance isn’t so clean cut. Private surveillance can become public surveillance with a simple court order. Even worse though is that private surveillance often voluntarily becomes public surveillance for a price:

Investigators long suspected Charles Merritt in the family’s disappearance, interviewing him days after they went missing. Merritt was McStay’s business partner and the last person known to see him alive. Merritt had also borrowed $30,000 from McStay to cover a gambling debt, a mutual business partner told police. None of it was enough to make an arrest.

Even after the gravesite was discovered and McStay’s DNA was found inside Merritt’s vehicle, police were far from pinning the quadruple homicide on him.

Until they turned to Project Hemisphere.

Hemisphere is a secretive program run by AT&T that searches trillions of call records and analyzes cellular data to determine where a target is located, with whom he speaks, and potentially why.

[…]

In 2013, Hemisphere was revealed by The New York Times and described only within a Powerpoint presentation made by the Drug Enforcement Administration. The Times described it as a “partnership” between AT&T and the U.S. government; the Justice Department said it was an essential, and prudently deployed, counter-narcotics tool.

Before you decide to switch from AT&T to Verizon it’s important to note that every major cellular provider likely has a similar program but they haven’t been caught yet. We know, for example, that Sprint has a web portal to make law enforcement access to customer data quick and easy and Verizon has a dedicated team for providing customer information to law enforcers. Those are likely just the tips of the icebergs though because providing surveillance services to the State is lucrative and most large companies are likely unwilling to leave that kind of money on the table.

At one time I made a distinction between public and private surveillance insofar as to note that private surveillance doesn’t lead to men with guns kicking down my door at oh dark thirty. It was an admittedly naive attitude because it didn’t factor into the equation how private surveillance becomes public surveillance. Now I make no distinction because realistically there isn’t a distinction and other libertarians should stop making the distinction as well (neoconservatives should also stop making the distinction but most of them are beyond my ability to help).

Your Fingerprint Sensor Sucks But You Shouldn’t Feel Bad

Kai Kloepfer’s fingerprint based firearm access control system is back in the news:

Presented at the 2016 International San Francisco Smart Gun Symposium (ironic, considering the city shuttered its last gun shop in 2015), then 18-year-old Kai Kloepfer presented a new handgun design that incorporates a fingerprint reader. Young Mr. Kloepfer is sponsored by angel investor Ron Conway, whose Smart Tech Challenges Foundation is spending $1.5 million for the development of “firearms safety technology.” Kloepfer is one of about 15 start-ups that Conway is sponsoring.

The design has been in skunk-works for over four years. Kloepfer’s start-up, Biofire, is “just a few months from a live-firing prototype, which assuming it works, will be the first gun to unlock like an iPhone.” This is untrue, as multiple fingerprint reader based firearms have existed before, specifically Kodiak Industries with their Intelligun.

Needless to say, the Internet gun community is flipping its shit again (in the comments sections of gun sites). A lot of valid criticisms have been made against Kloepfer’s technology. Some of those criticisms are the fact that his prototype isn’t lefthand friendly, people don’t always grip guns in the same way, fingerprint readers aren’t 100 percent reliable, batteries die, etc. I won’t go into detail on those. What I will go into detail on is the fact that fingerprint sensors suck for access control.

As far back as 2013 the Chaos Computer Club (CCC) was bypassing Apple’s Touch ID by obtaining a photograph of an authorized user’s fingerprint from a glass surface. No big deal, right? After all, somebody would have to find something you touched to lift your fingerprint from in order to bypass Kloepfer’s authentication system. That would require either breaking into your home or following you around in the hopes that you will touch something that your fingerprint can be reliably lifted from. Of course you also have the fact that in 2014 a member of the CCC was able to replicate a politician’s fingerprint from a photograph. You don’t need to follow somebody around to lift their fingerprint. You can just take a high resolution photograph of their hand when they’re out and about. And unlike Touch ID, which allows you to use any finger for authentication, the position of Kloepfer’s sensor means you know exactly which fingerprint you need to bypass the mechanism.

I’ve said this before but it bears repeating: fingerprints suck as authentication mechanisms. There are two reasons for this. First, you leave your fingerprints everywhere. Second, if your fingerprints are obtained by somebody you can’t change them.

With that said, I think criticisms against Kloepfer have been unnecessarily harsh. While his product is defective he should receive credit for trying to create something new. I know many gun owners like to scream “Never!” whenever somebody mentions firearm authentication systems but I believe there is a market for such products. Households with small children or mentally disturbed individuals, for example, could benefit from firearms with authentication systems (I know, people should lock up their firearms, but shit happens and having another barrier between a child or mentally disturbed individual and a functional firearm isn’t a bad thing). Kloepfer shouldn’t receive a bunch of hatred for exploring a market. And I say this as somebody who isn’t even in that market (I have no interest in complicating my firearms with access control technology but different strokes for different folks).

This is where some gun owner usually brings up New Jersey’s law that will mandate all firearms sold in the state be equipped with access control mechanisms once the technology is available. In response I will point out that the anger should be directed at the government of New Jersey, not Kloepfer and other people trying to bring access control technology to firearms. They’re building a product that may be useful to people even in the absence of such a law, they didn’t pass the law and aren’t sending goons out to enforce it.

In summary Kloepfer’s technology sucks but he shouldn’t feel bad for developing it. Also, governments suck but that’s more of a summary of this entire blog than this specific post.

You’re Not the Customer, You’re the Product

There ain’t no such thing as a free lunch (TANSTAAFL). Whenever somebody appears to be giving you something for free it likely means you’re the product, not the customer. Social media is a prime example of this. A lot of people claim that social media sites such as Facebook and Instagram are Central Intelligence Agency (CIA) products meant to surveil the populace. I personally don’t believe any government agency is clever enough to come up with a successful product like Facebook. But I also know they don’t care because they understand that Facebook exists to mine and sell information so they can forego the expenses of starting a service and just buy the data.

Geofeedia was recently caught selling social media data to law enforcement departments. The company managed to get its hands on this data by simply becoming a paying customer for sites such as Facebook and Twitter. Once the company was a paying customer it could grab user data, which is the real product, and package it up to sell to law enforcement departments.

But United States law enforcers aren’t the only buyers of social media data. Government agencies across the globe pay top dollar for surveillance data. The British Transport Police were also buying social media data:

The BTP, meanwhile, has purchased software called RepKnight. According to the company’s website, RepKnight can help identify, investigate or prevent political unrest, criminal activity, and activists. It can also be used to investigate DDoS attacks.

As well as searching Facebook, Reddit, Twitter and other social networks, RepKnight can be used for “sentiment analysis,” which presents users with “an instant summary of the mood across your search results, letting you quickly spot if something’s going wrong,” RepKnight’s site reads. Customers can use the service through a normal web browser, as well as on tablets and mobile phones.

In all, the BTP has spent £41,400 ($50,500) on purchasing the software and annual licenses for its use since July 2014, according to figures published by the Department for Transport.

A lot of people mistakenly believe their personal information isn’t worth anything. These are the people that usually say “Nobody cares what I do, I’m boring.” or “If they spy on me they’ll be bored.” or something else along those lines. But BTP forked out $50,000 just to surveil the seemingly mundane lives of everyday people. In other words, even the most boring person’s data is valuable.

RepKnight also seems to have some interesting capabilities. Geofeedia seems to be tailored towards surveillance but RepKnight seems to be tailored towards crushing political dissidence by allowing customers to go so far as to launch a distributed denial of service (DDoS) attack.

As more of our lives move online the public-private surveillance partnership will continue to grow. Don’t be surprised if you’re pulled over in the near future and the law enforcer drags you out of your vehicle and beats the shit out of you because the surveillance software on his car’s laptop pulled up a negative comment you made about the police (the software, of course, will be loaded to enhance officer safety).

You’re the Product, Not the Customer

In his novel The Moon is a Harsh Mistress, Robert Heinlein coined the phrase there ain’t no such thing as a free lunch (usually abbreviated as TANSTAAFL). The phrase is used by the main characters of the book to remind themselves and others that there’s no such thing as free. This is a lesson too many people fail to learn in real life. People are obsessed with the fantasy of free. They want free food, free money, free healthcare, and free online services.

People commonly make the mistake that online services such as Facebook and Twitter are free. On the surface they appear to be free since you don’t pay to use them. But TANSTAAFL. When you’re using a service for free you’re not the customer, you’re the product:

The American Civil Liberties Union on Tuesday outed Facebook, Twitter, and Instagram for feeding a Chicago-based company their user streams—a feed that was then sold to police agencies for surveillance purposes.

[…]

Geofeedia, which did not respond for comment, says it has more than 500 customers, including the Denver Police Department. That agency recently signed a $30,000 annual deal with the company. The money came from the agency’s “confiscation” fund. The department’s intelligence agency’s top brass wrote that it would allow cops to analyze and respond in real time to “social media content from anywhere in the world.”

Geofeedia, the actual customer, has been paying for Facebook, Twitter, and Instagram’s product, your personal information. It has then been turning around and selling it to various police departments, which use the information to more effectively expropriate wealth from the people they victimize. The only person not making any money on this deal is you. In fact, you’re losing money if any of the sold information about you is used by the police to take some of your wealth.

Because this revelation could turn into a loss of product for these sites they have apparently announced that they’ve cut off Geofeedia’s access. That shouldn’t make you feel better though. That access can be regranted at any time and there are likely many other companies doing the same thing as Geofeedia who just haven’t been caught yet. So long as you continue to be the product you shouldn’t believe any of your information is safe.

We’re All Terrorists Now

In many governmental circles I’m considered a terrorist sympathizer. Why? It’s not because I’ve sold arms to terrorists or provided them logistical support. It’s because I teach people how to use secure communication tools, which can get you arrested in certain parts of the world:

Samata Ullah, 33, was charged with six terrorism offences after being arrested in a street in Cardiff on September 22 by officers from Scotland Yard’s counter-terrorism squad.

The charge sheet includes one count of preparation of terrorism “by researching an encryption programme, developing an encrypted version of his blog site, and publishing the instructions around the use of [the] programme on his blog site.”

Ullah is also accused of knowingly providing “instruction or training in the use of encryption programmes” in relation to “the commission or preparation of acts of terrorism or for assisting the commission or preparation by others of such acts.”

He has additionally been charged with being in possession of a “Universal Serial Bus (USB) cufflink that had an operating system loaded on to it for a purpose connected with the commission, preparation, or instigation of terrorism.”

This is the nightmare Orwell alluded to in Animal Farm and Nineteen Eighty-Four. The State has become so controlling that merely providing an encrypted version of your blog, which I am currently doing since my blog is served exclusively over HTTPS, can be considered noteworthy enough to mention on a list of charges. The same goes for USB cufflinks. We are at a point where even mundane activities can be labeled criminal offenses if the State decides to thrust the word terrorism upon you.

I have no doubts that this will come to the United States. The United Kingdom seems to be where new tyrannies are birthed and the United States seems to be where tyrannies go to grow up. And anybody who watched the hearings surrounding Farook’s iPhone, which the Federal Bureau of Investigation (FBI) wanted to force Apple to break into, knows that the United States government is already at war with cryptography. If it passes a law mandating all domestic encryption include a government accessible back door I’ll be a criminal for teaching people how to use secure foreign encryption.

Apparently CNC Machines Don’t Exist

Cody Wilson stirred up a lot of controversy when he released designs for the Liberator, a single shot pistol constructed with a 3D printer. Why did a pistol constructed of materials that were guaranteed to fail after firing relatively few shots, and that couldn’t be scaled up to a powerful caliber, cause such a stir? Because most gun control advocates have no concept of how guns work. That leads them to fear imaginary devices such as the mythical Glock 7 from Die Hard, which led to the passage of the Undetectable Firearms Act. Another reason is that most gun control advocates are apparently unaware that computer numerical control (CNC) machines are a thing:

Even after reading his book, I’m still not sure what he means by this. Sure, plenty of open-source zealots favor software that can be edited, freely, by anyone. However, there is a crucial distinction here: no software, until the one created by Wilson and his followers, has ever been used to create a physical device that fires lethal bullets.

The Liberator was not the first gun created using software. In fact most modern guns are initially created using computer aided design (CAD) software, frequently simulated in software before being created, and sometimes built using a CNC machine. Software has been used to create guns for a while now. What Cody Wilson did wasn’t revolutionary, it was evolutionary. He managed to make a firearm with inferior equipment and materials that provided the most basic requirements to qualify as a firearm. I don’t mean to understate his contribution to firearms manufacturing but his real revolution, in my opinion, was to illustrate how irrelevant gun control is, especially as we march into a future where home fabrication will become easier and be able to utilize better materials.

Technology has always been the death knell of centralized control. While gun control advocates cling to their belief that a powerful central government can make all of the bad things go away the rest of the world is moving on and doing what it damn well pleases. I don’t fear gun control because I realize it’s a lost cause. Cody Wilson helped illustrate that to the world with the Liberator.